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Abstract Algebraic and fast algebraic attacks are power tools to analyze 
' stream ciphers. A class of symmetric Boolean functions with maximum 

algebraic immunity were found vulnerable to fast algebraic attacks at EU- 
ROCRYPT'06. Recently, the notion of AATZ (algebraic attack resistant) 
functions was introduced as a unified measure of protection against both 
classical algebraic and fast algebraic attacks. In this correspondence, we 
first give a decomposition of symmetric Boolean functions, then we show 
that almost all symmetric Boolean functions, including these functions with 



> 

■ good algebraic immunity, behave badly against fast algebraic attacks, and 
we also prove that no symmetric Boolean functions are AA1Z functions. 

■^J- ■ Besides, we improve the relations between algebraic degree and algebraic 

O ' immunity of symmetric Boolean functions. 

■ Key Words stream cipher, symmetric Boolean function, algebraic at- 
tacks, algebraic immunity, algebraic degree. 
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X 1 Introduction 

S3' 

Boolean functions are frequently used in the design of stream ciphers, block ciphers 
and hash functions. One of the most vital roles in cryptography of Boolean functions is 
to be used as filter and combination generators of stream ciphers based on linear feed- 
back shift registers (LFSRs). Symmetric functions are an interesting subclass of Boolean 
functions for their advantage in both implementation complexity and storage space (see 

0). 

In recent years, algebraic and fast algebraic attacks [151 El H] have been regarded 
as a great threat against LFSR-based stream ciphers. These attacks use cleverly over- 
defined systems of multi- variable nonlinear equations to recover the secret key. Algebraic 
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attacks lower the degree of the equations by multiplying a nonzero function while fast 
algebraic attacks by linear combination. Thus algebraic immunity (AI) was introduced in 
[To] to measure the ability of Boolean functions to resist algebraic attacks while the notion 
of AATZ (algebraic attack resistant) functions in [llj as a unified measure of protection 
against both classical algebraic and fast algebraic attacks. 

The maximum algebraic immunity (MAI) of n- variable Boolean functions is |~|] [7]. 
The majority function achieves MAI [HI Ej. For odd n, the majority function is the only 
symmetric MAI functions, up to addition of a constant [T2l [T5] . However, the majority 
function was found vulnerable to fast algebraic attacks in [2] at EUROCRYPT'06. 

All the symmetric MAI functions on 2 m variables were obtained in [T7J, [H] and were 
proven having algebraic degree 2 m ~ 1 or 2 m . Moreover, all the symmetric functions on 
2 m + 1 variables with sub-MAI 2 m_1 were derived in [T3]. A general method to construct 
symmetric MAI functions was further provided in [16] . Nevertheless, we find all these 
functions but few very vulnerable to fast algebraic attacks despite their resistance against 
classical algebraic attacks. 

A preprocessing of fast algebraic attacks on LFSR-based stream ciphers, which use a 
Boolean function / as the filter or combination generator, is to find a function g of small 
degree such that the multiple gf has degree not too large. For any pair of integers (e, d) 
such that e + d > n, there is a nonzero function g of degree at most e such that gf has 
degree at most d [6] . We concentrate on the minimum of e + d and introduce the notion 
of fast algebraic immunity (FAI), which generalizes the notion of AATZ. The full fast 
algebraic immunity (FFAI) of Boolean functions is n and FFAI functions are equivalent 
to AA1Z functions. 

In this correspondence, the fast algebraic immunity of symmetric Boolean functions is 
studied. It's found that any symmetric function is a composition of a Boolean function and 
elementary symmetric functions with degree equal to a power of 2 and that the set of all 
symmetric functions with degree at most 2 k — 1 is a ring generated by a\, cr 2 , 04, • • • , a 2 k-i 
and isomorphic to It's further shown that almost all symmetric Boolean functions 
behave badly against fast algebraic attacks. For one thing, any symmetric function with 
degree not equal to a power of 2 has FAI strictly less than its degree, for another, in the 
case n close to 2'- log 2 n l ) symmetric functions with AI at least 2'- log 2 n l/2 have FAI close 
to n/2, which is almost the worst case against fast algebraic attacks. Unfortunately, all 
but few symmetric functions shown to be immune to classical algebraic attacks in the 
previous literatures, such as [TTJ [JJ1 EH [16], fall into the case that n is either equal to 
or a little more than 2 L lo S2 . One (or more) function g with small degree, such that gf 
has degree not large, is straightway derived from the SANFV of /, while the algorithm 
proposed in [2] at EUROCRYPT'06 to determine g and gf for a symmetric function / 
has complexity 0(n 3 ). Furthermore, it's proven that there exist no symmetric FFAI (i.e. 
AATZ) functions. Lastly, the relations between algebraic degree and algebraic immunity 
of symmetric Boolean functions are improved. 2 L lc, ga( 2ct — 1 )J j s the lower degree of symmetric 
functions with AI a. This bound is tight for symmetric MAI functions. 

The remainder of this correspondence is organized as follows. In Section El some 
basic concepts are provided and the notion of fast algebraic immunity is introduced, while 
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Section [3] presents the decomposition of symmetric functions. Section H] studies the fast 
algebraic immunity of symmetric functions and Section [5] discusses the relations between 
algebraic degree and algebraic immunity of symmetric functions. Section [U] concludes the 
correspondence. 

2 Preliminary 

An n- variable Boolean function is a mapping from FJ? into F2, where F2 denote the 
binary field. A Boolean function is said to be symmetric if its output is invariant under 
any permutation of its input bits. Denote by B n (resp. SB n ) the set of all Boolean 
functions (resp. symmetric Boolean functions) on n variables. Any function / G B n can 
be uniquely represented as a truth table 

/ = 0, • ■ ■ ,0), /(l, 0, ■ • • , 0), • ■ • , /(l, 1, • ■ ■ , 1)] G wl" , 

or as a multivariate polynomial over F2, called the algebraic normal form (ANF), 

= a c xTxf ■ • a c G F 2 . 

c=(ci,c 2l - ,c n )eF£ 

The algebraic degree of /, denoted by deg(f), is given by max ac ^ wt(c), where wt(c) 
denote the Hamming weight of c. Any function / G SB n can be uniquely represented as 
a vector 

v f = (v f (0),v f (l),---,v f (n))e¥ n 2 + \ 

where v/(i) represents the function value for vectors of weight i. Let crj be the z-th 
elementary symmetric function of X\,X2, ■ ■ ■ ,x n . The symmetric function / can also be 
uniquely represented as 

n 

f(x) = J2 x fW ai > A/(i)eF 2 . 

8=0 

The vector A/ = (A/(0), A/(l), • • • , A/(n)) is called the simplified algebraic normal form 
vector (SANFV) of /. More properties of symmetric Boolean functions can be found in 
0- 

The algebraic immunity of Boolean functions is defined as follows. 

Definition 1. J73] / Let f be an n-variable Boolean function. The algebraic immunity (AI) 
of f , denoted by AJ(f), is defined as 

M(f) = mm{deg(g)\gf = or g(f + 1) = 0}. 

To resist fast algebraic attacks, the Boolean function / shouldn't admit a function g of 
small degree such that the multiple gf has degree not too large. There are several notions 
of the immunity of Boolean functions against fast algebraic attacks in previous literatures, 
such as [TU], but they separately treat the two parameters deg(g) and deg(gf). Recently, 
the notion of AATZ (algebraic attack resistant) functions was introduced in [11] as a 
unified measure of protection against classical algebraic attacks as well as fast algebraic 
attacks. 
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Definition 2. 01]/ Let f be an n-variable Boolean function. The function f is called 
AAIZ if f has MAI and deg(g) + deg(gf) > n for any function g with 1 < deg(g) < n/2. 

However, AATZ is too restrictive to achieve. A 9- variable AATZ function was observed 
in [I]. A class of almost AATZ functions were constructed in [TTj by iteration. While it's 
still unknown whether there are AATZ functions for any n. 

For any Boolean function /, from the definition of AI there always exists a function 
g of degree equal to AI(f) such that gf — or gf — g. Therefore the minimum 
of deg(g) + deg(gf) is smaller than or equal to 2AI(f). The notion of fast algebraic 
immunity is introduced as follows. 

Definition 3. Let f be an n-variable Boolean function. The fast algebraic immunity 
(FAI) of the function f , denoted by J-'AT(f), is defined as 

TAZ{f) = min A2AX(f), deg(g) + deg(gf)}. 

g:l<deg( 5 )<AT(/) 

From the above definition, we know that AI(f) + 1 < J r AT(f) < deg(f) + 2 since 
AT(f) + 1 < deg(g) + deg(gf) for any nonconstant function g with degree less than AT(f) 
and deg(7) + deg(//) < deg(/) + 2 for any affine function I. 

For any pair of integers (e, d) such that e + d > n, there is a nonzero function g of 
degree at most e such that gf has degree at most d [B]. Hence, the full fast algebraic 
immunity (FFAI) of n-variable Boolean functions is n. It is clear that any Boolean 
function has AI greater than or equal to a half of its FAI. Therefore FFAI functions are 
also MAI functions and are equivalent to AATZ functions. By almost FFAI or almost 
AATZ functions we mean Boolean functions with FAI n — 1. 



3 Decomposition of symmetric Boolean functions 

Thereinafter, may be regarded as mod 2 G F 2 if there is no ambiguousness. 

Lemma 1. Let Oi and aj be i-th and j-th elementary symmetric Boolean functions on n 
variables, < i, j < n. Then we have 

a "' = §0(*-j)' 4 = fiG)(*-i)' 4 - 

In particular, o~j = a,j . 

Proof. Expanding the product a^aj gives (™) (^Z*) W_ •) monomials with degree k for 
j < k < j + i and < k < n. Since the product a^aj is also a symmetric function 
and (jfc consists of monomials with degree k, the coefficient of in a^aj equals to 
= ©(A)- Since f 2 = f for an y Boolean function /, we also have 

0* = <Tj. □ 

Corollary 2. 1. cr 2 si+... + 2 s fc = a^nc^ • • • for pairwise different s±, S2, ■ ■ • , 
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2. Ift>l and j < 2 s then a t . 2 =+j = <Jt-2 s<J j- 
Proof. 1) Consider the polynomial (1 + x) 2 " G F 2 [x]. Since 1 + x 2 " = (1 + x) 2 " = 
Y2l=o (fc) xA: > we nave (T) =1 if an d only if k = 0, 2 s . By Lemma [T] we have 




If j < 2 s , then U„) = and ( 2 2 t J ) = 1 (considering the polynomial (1 + x) 2S+ i G F 2 [x]), 
and by Eq.([T]) we have <y 2 s<jj = (T 2 s +j- Assuming si < s 2 < ■ ■ ■ < Sk without loss of 
generality, since 2 Si ~ 1 H — - + 2 Sl < 2 Si for 2 < i < k, we have a 2 s i a 2 H-i + ... +2 s 1 = a 2 s i+ ... +2 s 1 
and therefore a 2 » k+ ... +2 s 1 = o- 2 s k a 2 " k -i + ... +2 s 1 = ■ ■ ■ = a 2 s k a 2 ^ k -i ■ ■ -a^i. 

2) Let t ■ 2 s = 2 s + 2 Sl + ■ ■ ■ + 2 Sk , s < s 1 < ■ ■ ■ < s k . From 1) we know 
a t . 2 s = a 2 s k ■ ■ ■ cr 2 s iO"2 s , and hence a t -vOj = a 2 s k ■ ■ ■ o 2 s 1 o 2 sOj = a 2 s k ■ ■ ■ a 2 s 1 a 2 s + j = ■ ■ ■ = 

0~2 3 k+:.+2 s +j — 0~t-2 s +j- D 

From the above corollary we obtain the following results proven in [3] . 
Corollary 3. Let m = |_log 2 ?\| and j = ^2™ =0 jk2 k , 3k G {0, 1}. Then we have 

1. a . = a f a h a n... a i 2Z . 

2. Ifn - 2 m < j < 2 m then o 2m Oj = 0. 

3. OiOj = o~i\jj where V means OR operation. 

Proof. 1 ) It is affirmed by Corollary El (1) . 

2) It is derived from the fact that j for j < 2 m by Corollary [2] (2) and 
there is no a 2 m + j for 2 m + j > n. 

3) It can be deduced from 1) since a\ a = o 2 s. □ 

Thanks to the work above, the decomposition of symmetric Boolean functions is given 
as follows. 

Theorem 4 (Decomposition of symmetric Boolean functions). Let f G SB„ and m = 
[log 2 n\ . 

1. The symmetric function f is a composition of an (m + l)-variable Boolean function 
F m+ i and elementary symmetric functions <7i, a 2 , 0-4, ■ ■ ■ , a 2 m : 

f(x) = F m+1 (ai, cr 2 , 0-4, ■ ■ • , cr 2 m). 

In particular, if f has degree at most 2 k — 1, then f(x) = Fk(o~i, o~ 2) CT4, • • • , a 2 k-i), 

2. Furthermore we have 

in 

f( x ) = ^2 a *fi(x) + fk(x), 

i=k 

where fi (k < i < m) and f^ are symmetric functions of degree at most 2 l — 1 and 
2 k - 1. 
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Proof. 1) Let f(x) = £™ =0 X f (j)^j, G F 2 . By Corollary^ we have ^ = afofaf • • • a{z 

and hence 

n n 

/(*) = E A /0>i = E */tt)*M*£ ■ ■ ■ 

3=0 j=0 

Let F m+1 G B m+ i and 

F m+1 (y u y 2l ■ ■ ■ ,y m +i) = E x f0)yi°y2 ■ ■■Vm+v 

0<j<n 

Then 

f(x) = F m+1 (a 1 ,a 2 ,(T4, ■ ■ ■ ,cr 2 m). 

The same proof shows /(x) = F^(cri, <r 2 , cr 4 , ■ • • , cr 2 *-i) with F fc G B fc when deg(/) < 2 fc — 1. 

2) Since F m+1 is a Boolean function, we can write F m+X (y u ■ ■ ■ , y m+ i) = Y.T=k Vi+i F i{Vu ■ ■ , Vi)+ 
F~(y 1 , ■ ■ ■ , y k ), k > 1. Therefore 

f(x) =F m+1 (cr 1 , cr 2 , cr 4 , • • • , cr 2 m) 
m 

= E cr 2 i -F 1 t(o"i,0'2,cr4, • • • ,cr 2 i-i) 

Let = ^((Ji,^,^, • • • ,cr 2l -i) (k < i < m) and = F^(<7i, cr 2 , cr 4 , • • • ,a 2 k-i). 

The symmetric function /, has degree at most 2 l — 1 since the degree of cxjV^a^ 2 • • • cr^-i 
can not exceed 1 + 2 + 4 + • ■ ■ + 2 1-1 = T — 1. Similarly, /^T has degree at most 2 fc — 1. □ 

Note that [log 2 (n+l)] = |_log 2 nJ + l. Theorem H] shows that an n- variable symmetric 
Boolean function corresponds to a |~log 2 (n + 1)] -variable Boolean function. Furthermore, 
a symmetric Boolean function of degree at most 2 k — 1 corresponds to a k- variable Boolean 
function. 

Theorem 5. Let 1 < 2 k < n + 1. T/ien i/ie set of all functions in SB n with degree at 
most 2 k — I, denoted by SB^ _1 ; is the ring < a±, a 2 , cr^, ■ ■ ■ ,cr 2 k-i > and isomorphic to 
Bfc. 

Proof. From Theorem H] we know SB,^ _1 is contained in R =< a%, a 2 , 04, ■ • • , o 2 k-\ >. 
We just check that R is an isomorphism of B^ since |B fc | = |SB^' _1 |. Let 

r : B fc -»• R, f(y u y 2 , ■ ■ ■ , y k ) i-> f(a 1 , a 2 , 04, ■ ■ • , a 2 k-i). 

From Theorem H] we know r is a injection. By Lemma [1] we know a\ a = cr 2 s, and hence r 
is a surjection. Let f,gE B^. It's clear that r(/ + g) — r(f) + t(o). Since r(y s ) = a 2 s-i 
for 1 < s < k, we have r(Il k =1 y^ s ) = U. k =1 a^i — n^ =1 r Cs (|/ s ) and therefore r(fg) = 
r(f)r(g). ' □ 

Corollary 6. SB 2 m_ 1 is an isomorphism o/B m . 
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The upper degree of the product of two symmetric Boolean functions is given as 
below. 

Corollary 7. Let gj £ SB n , deg(g) < 2 k - 1 and deg(f) < t ■ 2 k - 1 (t > I). Then 
deg(gf)<t-2 k -l. 

Proof. It holds for t — 1 since SB 2 _1 is a ring by Theorem [5j Consider the product OiOj 
with i < 2 k - 1 and 2 k < j < t ■ 2 k - 1 when t > 1. Let j = tf ■ 2 k + j', 1 < t' < t - 1, 
ji < 2 fe — 1. From Corollary [2] we have 0{Oj = OiO^.^^y = o~i<jjio~ t i . 2 k, which has degree at 
most if ■ 2 k + 2 k - 1 < t ■ 2 k - 1 since a l a y G SB 2 * -1 . □ 

From the above corollary we know SB 2 _1 SB^ 2 _1 = SB*j 2 _1 for t > 1. 

4 Fast algebraic attacks on symmetric Boolean func- 
tions 

In this section, we will first show that fast algebraic attacks on symmetric Boolean func- 
tions work efficiently, and then prove the nonexistence of symmetric FFAI functions. 

Theorem 8. Let f e SB n , f(x) = a 2t+ \ + Y^t=a A/t^) "* an( ^ 9{ x ) = a i + A/(2t) + 1. Then 
the multiple gj has degree at most 2t — 1. Moreover, if A/(2t) = ; then (cti + 1)/, if 
nonzero, has degree 2s + 1 where s is maximum such that A/(2s) = 1; if A/(2i) = 1, then 
°~if > if nonzero, has degree 2s + 1 where s is maximum such that A/(2s) + A/(2s + 1) = 1. 

Proof. It's trivial for t = 0. Then assume t > 1. 

By Corollary [21 we have aia 2i = cr 2i+ i and therefore oxOn+i = °~2i+i- Hence 

h(x) = (a 1 + X f (2t) + l)f(x) 

2t-l 

= (a, + X f (2t) + l)(a 2t+1 + X f (2t)a 2t + ^ \ f (i)(Ti) 

i=0 

t-i 

= ^[A / (2t)A / (2 ? + l) + A / (2z)]a 2m 
t-i 

+ 5^/(2*) + l)A,(2i)H, 

i=0 

showing deg(h) < 2t — 1. 
If X f {2t) = 0, then 

t-i t-i 
h(x) = 22 X f {2i)a 2i+ i + ^ X f (2i)a 2i 

i=0 i=0 

and therefore deg(h) = 2s + 1 when s is maximum such that A/ (2s) = 1. 
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If \ f (2t) = 1, then 

t-l 

= £[A,(2i + 1) + \ f (2i)]a 2i+1 

i=0 

and therefore deg(/i) = 2s + 1 when s is maximum such that A/(2s) + A/(2s + 1) = 1. □ 

Remark. If A/(2s) = (resp. A/(2s) = A/(2s + 1)J /or any s wift < s < £, £/ien we 
aawe (o"i + 1)/ = (resp. a\f — 0). 

Theorem [S] gives an affine function g such that gf has degree at most deg(/) — 2 for 
odd deg(/). In other words, any symmetric function with odd degree has FAI strictly 
smaller than its degree. Although the product gf has odd degree if gf ^ 0, we cannot 
apply the theorem recursively to gf to lower the degree of / since g ■ gf = g ■ f and 
(g + l)-gf = 0-f. 

From Theorem [HI we know that 2~ l is the probability that gf = and 2~ % the 
probability that gf has degree deg(/) — 2i. Consequently, the expectation of the degree 
of gf is deg(/) — 4 when deg(/) is large. 

Corollary 9. The expectation of the degree of the product gf of Theorem^ is deg(/) — 4 
when deg(/) tends to infinity. 

Now we consider symmetric Boolean functions with degree not equal to a power of 2. 

Theorem 10. Let f G SB n and deg(/) > 2 k > 1. If 2 k does not divide deg(f), then 
there exists a nonconstant function g of degree at most e with e = deg(/) mod 2 k such 
that the product gf has degree at most deg(/) — e — 1. 

Proof. Let deg(/) = t ■ 2 k + e, t > 1, < e < 2 k . Let f{x) = a t . 2k+e + E!=o +e_1 A/(z>i. 
By Corollary [21 we have c t . 2 k +i = cr t . 2 kai for < i < 2 k , and therefore 

e-l t-2 k -l 

f{x) =a t . 2fc (a e + ^A / (t-2 fc + i)a J )+ ^ A/(i)«7 f . 

1=0 8=0 

Let g(x) =cr e + YX=l ^/(* ' 2 ^ + + 1 and = Zli=o _1 ^f{i) a i- Then 

/(z) = a t . 2 k(g(x) + 1) + 

and hence a/ = gf~. On one hand, the symmetric function g has degree e; on the other 
hand, by Corollary [71 the function gf~ has degree at most t-2 k — I = deg(/) — e — 1. □ 

The theorem not only proves the existence of the function g but also explicitly iden- 
tifies several such functions. More exactly, the number of g's is 1 less than the weight of 
deg(/). 

Taking k = [\og 2 deg(/)J , if deg(/) ^ 2 k then there is a nonconstant function g such 
that deg(a) + deg(p/) < deg(/) — 1 and therefore the following result is obtained. 
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Corollary 11. Let f G SB n and deg(f) > 1 is not a power of 2. Then J 7 Al(f) < 

deg(/)-l. 

Theorem [10] and Corollary [TT] show that symmetric functions with degree not equal 
to a power of 2 do not behave well against fast algebraic attacks. Then we consider 
the symmetric functions with degree 2'- log 2 ri -l. For the case n — 2L log 2 n J large, 2'- log 2 n l is 
very small compared with n and therefore the symmetric functions with degree 2 L lo S2 
naturally behave badly against fast algebraic attacks. For n — 2 L log 2 n J not too large, we 
will show fast algebraic attacks on the symmetric functions with any degree are also very 
efficient. These imply that almost all symmetric Boolean functions are vulnerable to fast 
algebraic attacks. 

Now we consider the symmetric functions on n variables, including the functions of 
degree equal to a power of 2, for the case n — 2 L lo S2 smaller than 2L log 2™l /2 — 1. 

Theorem 12. Let f 6 SB n and 2 m < n < 2 m + 2 m ~ 1 - 1. Then AL(f) < 2 m ~ x - 1 or 
deg(aj) = 2 m ~ x + e with e = n - 2 m + 1. 

Proof. By Theorem H] we have 

f{x) = a 2 mf m (x) + (7 2 m-i fm-x{x) + f~^(x), 

where f m is a symmetric function of degree at most 2 m — 1, and f m -i,f~_ l are of degree at 
most 2 m ~ x - 1. Let g = 0" e (/ m _i + 1). Since n < 2 m + 2 m ~ l - 1, we have e = n-2 m + l < 
2 m_1 and therefore deg(g) < 2 m ~ 1 — 1 by Corollary [71 By Corollary [3], we have o e o<i™ = 
since n — 2 m < e < 2 m . If g ^ 0, then gf = gf^-i which is again of degree at most 
2 m ~ 1 — 1 by Corollary [7J This means / or / + 1 admits an annihilator of degree at most 
2 m ~ 1 — 1, that is, AX(f) < 2 m ~ 1 — 1. Otherwise g = 0, then cr e / m _i = a e and hence 
o~ e f = o-2m-i +ae + £7 e ./ra-iJ which is of degree 2 m_1 + e. □ 

Remark. The same proof shows that the theorem applies to e with n — 2 m < e < 2 m ~ 1 , 
but e = n — 2 m + 1 is minimum. 

Theorem [T2] shows that symmetric functions on n variables with n — 2 L lo S2 no t 
large are vulnerable to fast algebraic attacks. Especially if n is close to 2L log 2"J, then 
e = n - 2L log 2"J + 1 is close to 1 and d = 2^ n i/2 + e is close to n/2, so e + d is 
close to n/2, and therefore the symmetric functions with AI at least 2L log 2 n J/2 are very 
vulnerable to fast algebraic attacks. For example, any symmetric MAI function / on 
2 m variables admits the linear function o\ such that <j\j has degree 2 m ~ 1 + 1 while any 
symmetric function / on 2 m + 1 variables with MAI 2 m_1 + 1 or sub-MAI 2 m_1 admits 
the quadratic function o"2 such that a^f has degree 2 m_1 + 2. They are almost the worst 
cases against fast algebraic attacks since any function with AI a has FAI at least a + 1. 
Unfortunately, the symmetric MAI functions obtained in (T7J |T5j are in the case n = 2 m 
and the symmetric sub-MAI functions derived in [13] have n = 2 m + 1. Moreover, the 
symmetric MAI functions constructed in [161 Theorem 2.4] have n e [2 m ,5/4 • 2 m ], and 
therefore these functions admit a e with e < n/5 such that a e f has degree at most 3n/5. 
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Theorem [121 also gives g = cr e (/ m _i + 1) 7^ and h = o" e (/m-i + l)/ m -i both with 
degree at most 2" 1 " 1 — 1 or g = a e with degree e and h = <J 2 ™-i +e + cr e / m _ 1 with degree 
2m-i _|_ e guch ^hg^ _ ^ ^he symmetric functions with AI at most 2 m_1 — 1 = 
2U°g2«J/2 - 1 naturally have FAI at most 2 m - 2 = 2 L lo g2 «J _ 2. And these symmetric 
functions with AI at least 2 m - 1 = 2^ "J /2 have FAI smaller than or equal to 2 m ~ 1 + 2e = 
2^-i + 2{n - 2 m + 1) = 2n - 3 • 2™- 1 + 2 = 2n - 3 • 2 L lo S2 "J /2 + 2. 

Corollary 13. Let f G SB„ and 2 m < rt < 2 m + 2 m ~ x - 1. Then TM{j) < max{2 m - 
2,2n-3-2 m - 1 + 2}. 

The following theorem proves the nonexistence of symmetric FFAI functions. 

Theorem 14. Let n > 5 and f G SB n . Then J 1 'AI(f) < n. 

Proof. Corollary [TT] has proven the case that / has degree not equal to 2 m . When / has 
degree 2 m , we just check the cases n = 2 m , 2 m + 1 or 2 m + 2. These cases have been 
proven in Corollary [TJ if 2n - 3 • 2 m ~ l + 2 < n < 2 m + 2 m ~ x - 1, i.e. m > 3 forn = 2 m , 
2 m + 1 and m > 4 for n = 2 m + 2. The rest cases n = 5, 6, 10 are confirmed by computing 
all possible values of FAI for the symmetric functions on 5, 6 or 10 variables. □ 

5 Relations between algebraic degree and algebraic 
immunity of symmetric Boolean functions 

In this section, we will study the relations between algebraic degree and algebraic immu- 
nity of symmetric functions. It's well known that for any Boolean function / the algebraic 
immunity is less than or equal to its algebraic degree since /(/ + 1) = 0, whereas the 
relations between algebraic degree and algebraic immunity can be improved for symmetric 
functions. 

Proposition 15. Let f G SB„. If f has degree not equal to a power of 2, then AI(f) < 
2 Liog 2 dc g (/)j > Consequently, we have AZ(f) < 2L lo S2dcg(/)J j or any f G SBn 

Proof. Let k = [log 2 deg(/)J . By Theorem H] we have / = cr 2 fc ,/fc + /aT' where fk is a 
symmetric function of degree deg(/)— 2 k and of degree at most 2 fc — 1. Let g = /jt+1 and 
h = gf k ~. Then gf = h, deg(g) = deg(/)-2 fc < 2 fc -l and deg(h) <2 k -l. If deg(/) ^ 2\ 
then g ^ and therefore M(f) <2 k -l. If deg(/) = 2 k , then M(f) < deg(/) = 2 k . □ 

Corollary 16. Let f G SB„, Then deg(/) > 2^ M ^ = 2^(^(1)-^ . 

Proof. We only check the case AI(f) > 1. Let a = AX(f) and d = deg(/). Proposition [TS1 
shows that log 2 a < [log 2 d\ , i.e. [log 2 a] < [log 2 d\ . Hence d > 2^ a l = 2L 1 °S2( 2a - 1 )J . □ 

Siegenthaler's inequality [19] states that any m-th order correlation-immune function 
has degree at most n — m and any m-resilient function (0 < m < n — 1) has degree at most 
n — m — 1. Therefore the order of correlation- immune (resp. resiliency) of any symmetric 
Boolean function with AI equal to a (a > 1) is smaller than or equal to n — 2L 1 °S2( 2a - 1 )J 
(resp. n -2L 1 °S2( 2a - 1 )J - 1). 

Now we consider the lower bound of algebraic degree for symmetric MAI functions. 
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Corollary 17. Let f G SB n and AI(f) = [f ] . T/jen deg(/) > 2L lo s 2 ("-i)J _ 

Proof. Since [§] > f, by Corollary [H, we have deg(/) > 2L lo S2(«-i)J . □ 

For every n, there exist symmetric MAI functions on n variables of degree 2L log 2 n J. 
For example, the majority function / achieves MAI and also has degree 2L log 2 n l [§]. When 
n = 2 m , the function cr 2 m-i achieves MAI [3]. In addition, all the symmetric MAI functions 
on 2 m variables were obtained in [T7J [H] and were proven having algebraic degree 2 m_1 
or 2 m Notice that 2L log 2(^ 1 )J = 2 L lo sa if n ^ 2 m , and 2L 1 °S2(«- 1 )J = 2™" 1 if n = 2 m . 
Therefore the bound of Corollary [IT] is tight. 

Table 1: The upper algebraic immunity of symmetric functions with designated degree 



deg 


d 


1 2-3 4-7 8-15 16-31 32-63 64-127 128-255 


Upper AI 


2 U°g2 d \ 


1 2 4 8 16 32 64 128 



Table 2: The lower degree of symmetric functions with designated algebraic immunity 



AI 


a 


1 2 3-4 5-8 


9-16 17-32 33-64 65-128 


Lower deg 


2 r io §2 a i 


12 4 8 


16 32 64 128 



Notice that the relation between algebraic degree and algebraic immunity of sym- 
metric Boolean functions doesn't relate to the number of variables. Therefore the bounds 
listed in Table [1] and Table [2] are true for any reasonable n. We leave a open problem 
whether the bound is tight when AI isn't MAI. 

6 Conclusion 

Symmetric Boolean functions, which can be considered as compositions of Boolean 
functions and elementary symmetric functions with power-of-2 degree, behave badly 
against fast algebraic attacks, so these functions are unfit to be used in stream ciphers. 
In other words, if symmetric functions are used in the design of ciphers, fast algebraic 
immunity should never be ignored, and the number n of variables had better be neither 
equal to nor a little more than 2 m . n approximating 3 • 2 m_1 seems to be a good choice 
but it still need further study. 
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